author Father Chrysostomos <sprout@cpan.org> 2014-08-31 14:10:45 -0700
committer Father Chrysostomos <sprout@cpan.org> 2014-08-31 14:12:55 -0700
commit 64ff300be0f7714585466af5bb87b2e37db5082a (patch)
tree 5833d209d1f009443db57a5516a9813bc9328c94 /mg.c
parent 0286dbbe232b42269df3d1b10663cd203ce0916d (diff)
[perl #122669] Don’t taint at compile time

    #!perl -T

    # tainted constant
    use constant K=>$^X;

    # Just reading the constant for the sake of folding can enable
    # taintedness at compile time.
    0 if K;

    # Taintedness is still on when the ‘strict.pm’ SV is created, so
    # require croaks on it (‘Insecure dependency’).
    use strict;

The fix is simply not to propagate taintedness at compile time.
Hence, the value of K will still be tainted at run time (require(K)
croaks), but just reading the value of K at compile time won’t taint
subsequent string literals (or barewords treated as strings).

‘Compile time’ here is relative: Taintedness still wafts about as
usual when BEGIN blocks are executed, because code is actually
running. It’s when code is being parsed that propagation is disabled.

The reason taint propagation could span across statements at compile
time was that *execution* of a new statement resets taintedness,
whereas parsing is oblivious to it.

Diffstat (limited to 'mg.c')
-rw-r--r-- mg.c 2
1 files changed, 1 insertions, 1 deletions
diff --git a/mg.c b/mg.c
index e1fc578f8b..9dc0679f37 100644
--- a/mg.c
+++ b/mg.c
@@ -2237,7 +2237,7 @@ Perl_magic_gettaint(pTHX_ SV *sv, MAGIC *mg)
PERL_UNUSED_ARG(mg);
#endif
- TAINT_IF((PL_localizing != 1) && (mg->mg_len & 1));
+ TAINT_IF((PL_localizing != 1) && (mg->mg_len & 1) && IN_PERL_RUNTIME);
return 0;
}
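
Review bot: the new `&& IN_PERL_RUNTIME` term on the `TAINT_IF` line has no comment, and without the commit message it is not obvious why reading taint magic should behave differently while parsing. A short comment above the line would help, for example: "Do not propagate taintedness while parsing (constant folding reads tainted values); see [perl #122669]". It is also worth stating there that the check is expected to be true while BEGIN blocks execute, since the commit message relies on taint still propagating in that case. As a smaller point, the reproduction script from the commit message (tainted constant, `0 if K;`, then `use strict;`) would make a direct regression test if one is not already part of the full commit; this view is limited to mg.c, so it cannot be confirmed from here.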